Risk Management and Healthcare Policy (Jun 2024)
Security Risk Assessment for Patient Portals of Hospitals: A Case Study of Taiwan
Abstract
Pei-Cheng Yeh,1,2 Kuen-Wei Yeh,3– 5 Jiun-Lang Huang6,7 1Graduate Institute of Clinical Dentistry, School of Dentistry, College of Medicine, National Taiwan University, Taipei, Taiwan, Republic of China; 2Division of Endodontics, Department of Stomatology, Taichung Veterans General Hospital, Taichung, Taiwan, Republic of China; 3Investigation Bureau, Ministry of Justice, New Taipei City, Taiwan, Republic of China; 4Department of Electrical Engineering, Chinese Culture University, Taipei, Taiwan, Republic of China; 5Department of Information, Chinese Culture University, Taipei, Taiwan, Republic of China; 6Department of Electrical Engineering, National Taiwan University, Taipei, Taiwan, Republic of China; 7Graduate Institute of Electronics Engineering, National Taiwan University, Taipei, Taiwan, Republic of ChinaCorrespondence: Kuen-Wei Yeh, Email [email protected]: Growing cyberattacks have made it more challenging to maintain healthcare information system (HIS) security in medical institutes, especially for hospitals that provide patient portals to access patient information, such as electronic health record (EHR).Objective: This work aims to evaluate the patient portal security risk of Taiwan’s EEC (EMR Exchange Center) member hospitals and analyze the association between patient portal security, hospital location, contract category and hospital type.Methods: We first collected the basic information of EEC member hospitals, including hospital location, contract category and hospital type. Then, the patient portal security of individual hospitals was evaluated by a well-known vulnerability scanner, UPGUARD, to assess website if vulnerable to high-level attacks such as denial of service attacks or ransomware attacks. Based on their UPSCAN scores, hospitals were classified into four security ratings: absolute low risk, low to medium risk, medium to high risk and high risk. Finally, the associations between security rating, contract category and hospital type were analyzed using chi-square tests.Results: We surveyed a total of 373 EEC member hospitals. Among them, 20 hospital patient portals were rated as “absolute low risk”, 104 hospital patient portals as “low to medium risk”, 99 hospital patient portals as “medium to high risk” and 150 hospital patient portals as “high risk”. Further investigation revealed that the patient portal security of EEC member hospitals was significantly associated with the contract category and hospital type (P< 0.001).Conclusion: The analysis results showed that large-scale hospitals generally had higher security levels, implying that the security of low-tier and small-scale hospitals may warrant reinforcement or strengthening. We suggest that hospitals should pay attention to the security risk assessment of their patient portals to preserve patient information privacy.Keywords: security risk assessment, healthcare information system, electronic health record, electronic medical record, EMR Exchange Center, vulnerability scanner